From: Tony E. <to...@he...> - 2007-08-19 17:11:09

Hi list,

A problem: Mark Martinec, a prominent DKIM protagonist also of this list, sends me a message and my dkim-filter fails it. I tell Mark and point out the reason why I think it's failing, and he writes (with asserted rfc4871 documentary proof) that testing.dkim.org passes it and only my site is failing it.

His selector is ja-2007, his domain ijs.si
My selector is mail2, my domain barlaeus.nl.

When I do RR 'digs' on my site and his, I see the following:

dig txt ja-2007._domainkey.ijs.si|grep ja-2007
ja-2007._domainkey.ijs.si. 1081 IN TXT "v=DKIM1\; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTly/34cKbR/uKyY2sO6ybQL+T" "/tfSX4VALr1z2Toi+VFFRRXmGwxu1hKRoDJrnlvxzW6Aub7yXSFDR2utlxeygzyC" "LAgIjkNgv2mS47e7cuXmJBUbpl36zwoFaLXjphEMAWyQtWzmElpvZB5YjzZM7YS4" "s5dJO/qmNjmArnZQdwIDAQAB"

dig txt mail2._domainkey.barlaeus.nl | grep mail2
mail2._domainkey.barlaeus.nl. 86400 IN TXT "v=DKIM1\; k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXUe4nPkv9uKSVLnp110vJqlBE9Ushgg/SAccohTfI3hhT05MuCj5043LL+S6DrM3ueT1QeQuFP43UgMF7mPxXTK12FPeCFADBqOWkPSDrgMoQWMn9ccLz+OVgGQBPwzocxHMvyAw0AgG6Wu02lNxmm/rw7nzp4vrQbFmnbuFiTQIDAQAB"

Mark is splitting up his RR with white spaces and I'm not.

It's worth pointing out that everyone else using up-to-date dkim-milter and registering on my dkim-stats uses a p tag without white spaces; these include (mostly Postfix but some others) kitterman.com, salmi.ch, schetterer.org, resistor.net, charite.de, wit.edu.pl, sendmail.com and dk.elandsys.com. Interestingly enough, sendmail.net is failing.

Could the fact that I'm failing him (and testing.dkim.org isn't) have anything to do with my site.config.m4? The relevant APPENDDEF lines are:

APPENDDEF(`confENVDEF', `-D_FFR_HASH_BUFFERING ')
APPENDDEF(`confENVDEF', `-D_FFR_REPORTINFO ')
APPENDDEF(`confENVDEF', `-D__FFR_DNS_UPGRADE ')
APPENDDEF(`confENVDEF', `-D_FFR_SELECT_SIGN_HEADERS ')
APPENDDEF(`confENVDEF', `-D_FFR_SET_REPLY ')
APPENDDEF(`confENVDEF', `-D_FFR_STATS ')

Can't see anything of relevance there - could there be any other reason?

Thanks,

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
From: Tony E. <to...@he...> - 2007-08-19 17:48:29

Jukka Salmi skrev, on 19-08-2007 19:28:
> Hi,

Hi back, Jukka.

I really do wish you'd confine replies to the list; this doesn't help anyone, no one but me sees this.

> Tony Earnshaw wrote:
> [...]
>> Mark is splitting up his RR with white spaces and I'm not.
>>
>> It's worth pointing out that everyone else using up-to-date dkim-milter
>> and registering on my dkim-stats uses a p tag without white spaces;
>> these include (mostly Postfix but some others) kitterman.com, salmi.ch,
>
> in case with whitespace you mean whitespace outside of quoted strings,
> that's not quite true: TXT RRs for both selectors I use
> (mx[12]._domainkey.salmi.ch.) do have such whitespace.

Nope, you format in exactly the same way I do (as per the dkim-milter INSTALL doc); Mark doesn't. Please reread my post and confirm by doing a dig on his RR.

Best,

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
From: Tony E. <to...@he...> - 2007-08-19 17:51:15

Tony Earnshaw skrev, on 19-08-2007 19:47:

[...]

> Nope, you format in exactly the same way I do (as per the dkim-milter
> INSTALL doc); Mark doesn't. Please reread my post and confirm by doing a
> dig on his RR.

Shoot, I'm wrong, now I can see a whitespace. So what's the reason, gang?

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
From: Tony E. <to...@he...> - 2007-08-19 18:06:11

Tony Earnshaw skrev, on 19-08-2007 19:50:
> Tony Earnshaw skrev, on 19-08-2007 19:47:
>
> [...]
>
>> Nope, you format in exactly the same way I do (as per the dkim-milter
>> INSTALL doc); Mark doesn't. Please reread my post and confirm by doing a
>> dig on his RR.
>
> Shoot, I'm wrong, now I can see a whitespace.

dkim-stats:

barlaeus.nl:1/0 15 pass/0 fail, last l=1, a=1, Sun Aug 19 11:22:17 2007
megan.vbhcs.org:1/1 0 pass/42 fail, last l=1, a=0, Fri Aug 17 18:35:42 2007
kitterman.com:0/0 4 pass/0 fail, last l=1, a=0, Thu Aug 9 16:04:28 2007
salmi.ch:1/0 5 pass/0 fail, last l=0, a=1, Sun Aug 19 19:30:34 2007
schetterer.org:1/0 4 pass/0 fail, last l=0, a=1, Fri Aug 17 14:14:24 2007
resistor.net:0/0 1 pass/0 fail, last l=0, a=1, Fri Aug 17 22:13:57 2007
charite.de:0/0 30 pass/0 fail, last l=0, a=1, Wed Aug 15 21:03:53 2007
wit.edu.pl:1/0 1 pass/0 fail, last l=1, a=0, Wed Aug 8 19:22:08 2007
sendmail.com:1/0 1 pass/0 fail, last l=0, a=1, Fri Aug 17 20:37:52 2007
dk.elandsys.com:0/0 6 pass/1 fail, last l=0, a=1, Fri Aug 17 15:16:31 2007
sendmail.net:1/0 0 pass/2 fail, last l=0, a=1, Thu Aug 16 15:57:50 2007
ijs.si:1/0 0 pass/4 fail, last l=0, a=0, Sun Aug 19 18:55:35 2007

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
From: Mark M. <Mar...@ij...> - 2007-08-19 18:08:05

On Sunday August 19 2007 19:10:26 Tony Earnshaw wrote:
> His selector is ja-2007, his domain ijs.si
> My selector is mail2, my domain barlaeus.nl.
>
> When I do RR 'digs' on my site and his, I see the following:
>
> dig txt ja-2007._domainkey.ijs.si|grep ja-2007
> ja-2007._domainkey.ijs.si. 1081 IN TXT "v=DKIM1\; p="
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTly/34cKbR/uKyY2sO6ybQL+T"
> "/tfSX4VALr1z2Toi+VFFRRXmGwxu1hKRoDJrnlvxzW6Aub7yXSFDR2utlxeygzyC"
> "LAgIjkNgv2mS47e7cuXmJBUbpl36zwoFaLXjphEMAWyQtWzmElpvZB5YjzZM7YS4"
> "s5dJO/qmNjmArnZQdwIDAQAB"
> Mark is splitting up his RR with white spaces and I'm not.

You misunderstood, there is no splitting on whitespace there. Also, there is no whitespace inserted. It is just a plain concatenation of TXT RR substrings. You should be reading RFC 1035.

Mark
From: Tony E. <to...@he...> - 2007-08-19 18:15:03

Mark Martinec skrev, on 19-08-2007 20:07:

[...]

>> Mark is splitting up his RR with white spaces and I'm not.
>
> You misunderstood, there is no splitting on whitespace there.
> Also, there is no whitespace inserted. It is just a plain
> concatenation of TXT RR substrings. You should be reading
> RFC 1035.

The crunch is: You are failing and I am not. Jukka isn't, either.

WHY?

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
From: Scott K. <iet...@ki...> - 2007-08-19 19:51:16

On Sunday 19 August 2007 14:14, Tony Earnshaw wrote:
> Mark Martinec skrev, on 19-08-2007 20:07:
>
> [...]
>
> >> Mark is splitting up his RR with white spaces and I'm not.
> >
> > You misunderstood, there is no splitting on whitespace there.
> > Also, there is no whitespace inserted. It is just a plain
> > concatenation of TXT RR substrings. You should be reading
> > RFC 1035.
>
> The crunch is: You are failing and I am not. Jukka isn't, either.
>
> WHY?

What I'd do in your position is figure out which library is doing the TXT substring concatenation and see if it gets it wrong. That would be my bet.

Scott K
From: Tony E. <to...@he...> - 2007-08-20 11:04:59

Scott Kitterman skrev, on 19-08-2007 21:51:

[...]

> What I'd do in your position is figure out which library is doing the TXT
> substring concatenation and see if it gets it wrong. That would be my bet.

Good catch, though it wasn't the concatenation. Why didn't I look at the dkim-filter log? 2.1.1 is now giving much better output than earlier versions. All of the messages Mark sent yesterday (Postfix log) failed with:

SSL error:04077068:rsa routines:RSA_verify:bad signature.

dkim-filter (libdkim) has been built with openssl-0.9.8b-8.3.el5 (Red Hat), all Mark's signatures are signed a=rsa-sha1. But then, so are yours (from earlier) and yours are passing.

Maybe someone could comment on that?

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
From: Tony E. <to...@he...> - 2007-08-20 11:28:34

Tony Earnshaw skrev, on 20-08-2007 13:04:

[...]

> Maybe someone could comment on that?

'man 3 RSA_sign' gives some interesting info, but not enough ...

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
From: Mark M. <Mar...@ij...> - 2007-08-19 21:53:20

> The crunch is: You are failing and I am not. Jukka isn't, either.
> WHY?

My guess is that DNS issues are a false lead, and that something else is wrong.

If someone cares to try, here is one of the messages Tony is talking about, exactly as received by Tony (he sent me back a full copy of my own message):

http://www.ijs.si/~mark/tmp/1.msg.gz

It still verifies just fine when I pass it through my dkim-milter 2.1.1 or 1.2.0 or Mail::DKIM.

Mark
From: Jukka S. <j+d...@20...> - 2007-08-20 12:00:14

Mark Martinec --> dkim-milter-discuss (2007-08-19 23:53:13 +0200):
> > The crunch is: You are failing and I am not. Jukka isn't, either.
> > WHY?
>
> My guess is that DNS issues are a false lead, and that something else
> is wrong.
>
> If someone care to try, here is one of the messages Tony is talking about,
> exactly as received by Tony (he sent me back a full copy of my own message):
>
> http://www.ijs.si/~mark/tmp/1.msg.gz
>
> It still verifies just fine when I pass it through my dkim-milter 2.1.1
> or 1.2.0 or Mail::DKIM.

Verifies fine here:

X-DKIM: Sendmail DKIM Filter v2.1.1 mx2.salmi.ch 6F5C2A996
Authentication-Results: mx2.salmi.ch; dkim=pass (1024-bit key) header.i=@ijs.si

$ dig ja-2007._domainkey.ijs.si. txt | grep ^ja
ja-2007._domainkey.ijs.si. 3229 IN TXT "v=DKIM1\; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTly/34cKbR/uKyY2sO6ybQL+T" "/tfSX4VALr1z2Toi+VFFRRXmGwxu1hKRoDJrnlvxzW6Aub7yXSFDR2utlxeygzyC" "LAgIjkNgv2mS47e7cuXmJBUbpl36zwoFaLXjphEMAWyQtWzmElpvZB5YjzZM7YS4" "s5dJO/qmNjmArnZQdwIDAQAB"

Regards, Jukka

-- 
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
From: Jukka S. <j+d...@20...> - 2007-08-19 18:41:46

Tony Earnshaw --> dkim-milter-discuss (2007-08-19 19:47:50 +0200):
> Jukka Salmi skrev, on 19-08-2007 19:28:
> > Hi,
>
> Hi back, Jukka.
>
> I really do wish you'd confine replies to the list; this doesn't help
> anyone, no one but me sees this.

Thanks for the explanation. And please stop forwarding messages which I intentionally send to you exclusively to the list.

-- 
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
From: Tony E. <to...@he...> - 2007-08-19 19:04:31

Jukka Salmi skrev, on 19-08-2007 20:41:

[...]

> Thanks for the explanation. And please stop forwarding messages which
> I intentionally send to you exclusively to the list.

If I write to the list, I expect answers on the list and wish for no personal replies. Normally, I'd immediately delete such; didn't in this case.

Best,

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
From: Murray S. K. <ms...@se...> - 2007-08-20 17:52:43

If we have eliminated that recent canonicalization bug (it's only present in the "relaxed" body canonicalization code, which Mark isn't using) and the spaces-in-key-records question (I agree with Mark, that's probably a false lead), I'd encourage you guys to use the debugging features in your respective filters to save the canonicalized forms and diff them. You can either:

(a) both set the DKIMDEBUG environment variable to "c" and restart the filter, saving canonicalized forms to /var/tmp; then exchange and "diff" them to spot the differences; OR

(b) Mark can set DKIMDEBUG as above, Tony can restart his filter with "-R", and then Mark can set an "r=" tag in his SSP record to contain a debugging address, and then Mark can send a message to Tony; if it fails, Tony's filter will reply with its canonicalized forms in a separate message and Mark can diff them to what his side saved

(c) Mark can set "Diagnostics" to "True" in his configuration file (adding z= tags to the signatures he generates; these can be large); Tony can re-compile with _FFR_ZTAGS and then set "DiagnosticsDirectory" to be a location into which analysis is stored when verifications fail

If the canonicalizations are the same at both ends, there's a verification problem possibly involving key retrieval; if they're not the same, there's a problem with canonicalization and/or data modification in transit. The fact that only one recipient is having that problem makes me think it's localized and thus more likely a transit problem of some kind.

One other possibility I can think of: Could there be an older public key in Tony's cache?

-MSK
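The procedure above rests on both sides producing the canonicalized form of the same message and comparing them: if the canonical bodies match but the signature still fails, the problem is on the key or crypto side; if they differ, something changed the message in transit or one canonicalizer is wrong. As an added example (not dkim-milter code and not any message from the thread), the Python below implements the "simple" and "relaxed" body canonicalizations of RFC 4871 sections 3.4.3 and 3.4.4, computes the bh= body hash over each, and diffs the two canonical bodies the way the DKIMDEBUG exchange would. The sample bodies are constructed for the example; header canonicalization and the RSA verification step are not covered. The hash defaults to sha256; the thread's signatures are a=rsa-sha1, so pass "sha1" to reproduce their bh= values.

```python
"""DKIM body canonicalization, bh= computation and canonical diff (added example)."""
import base64
import difflib
import hashlib
import re

# Constructed sample bodies (CRLF line endings, as on the wire).
ORIGINAL = "Hello Tony,\r\n\r\nThe message body as signed.\r\n"
# The same body after a hop added trailing whitespace, doubled an inner space
# and appended blank lines: tolerated by relaxed, fatal under simple.
MODIFIED = "Hello Tony,   \r\n\r\nThe message  body as signed.\r\n\r\n\r\n"
# The same body with CRLF turned into bare LF: neither algorithm repairs this.
BARE_LF = ORIGINAL.replace("\r\n", "\n")


def canon_body_simple(body):
    """RFC 4871 3.4.3: drop empty lines at the end of the body and make sure
    exactly one CRLF terminates it. An empty body becomes a single CRLF."""
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def canon_body_relaxed(body):
    """RFC 4871 3.4.4: strip trailing WSP on every line, collapse runs of WSP
    to one SP, drop empty lines at the end, add CRLF to a non-empty body that
    lacks one. An empty body stays empty (as RFC 6376 later made explicit)."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return ""
    return "\r\n".join(lines) + "\r\n"


def canonicalize(body, canon):
    if canon == "relaxed":
        return canon_body_relaxed(body)
    if canon == "simple":
        return canon_body_simple(body)
    raise ValueError("unknown body canonicalization: %r" % canon)


def body_hash(body, canon="relaxed", hash_alg="sha256"):
    """The bh= value a signer or verifier computes for this body."""
    digest = hashlib.new(hash_alg, canonicalize(body, canon).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def compare_hashes(signer_body, verifier_body, canon, hash_alg="sha256"):
    """True if signer and verifier would agree on bh= for these two bodies."""
    return body_hash(signer_body, canon, hash_alg) == body_hash(verifier_body, canon, hash_alg)


def canonical_diff(signer_body, verifier_body, canon):
    """Unified diff of the two canonical bodies; empty when they agree."""
    a = canonicalize(signer_body, canon).splitlines(keepends=True)
    b = canonicalize(verifier_body, canon).splitlines(keepends=True)
    return "".join(difflib.unified_diff(a, b, "signer", "verifier"))


if __name__ == "__main__":
    for canon in ("simple", "relaxed"):
        for label, received in (("whitespace", MODIFIED), ("bare LF", BARE_LF)):
            agree = compare_hashes(ORIGINAL, received, canon, "sha1")
            print("%-7s %-10s bh agrees: %s" % (canon, label, agree))
            if not agree:
                print(canonical_diff(ORIGINAL, received, canon))
```

Two well-known constants serve as a self-check on the canonicalizers: an empty body hashes to `frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=` under simple (sha256 of a lone CRLF) and to `47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=` under relaxed (sha256 of the empty string). The bare-LF case is the kind of in-transit damage Murray has in mind: the diff shows it immediately, while a bh= mismatch alone would not tell you which of the two failure classes you are in.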
From: Mark M. <Mar...@ij...> - 2007-08-20 18:28:35

Murray S. Kucherawy writes:
> If we have eliminated that recent canonicalization bug (it's only present
> in the "relaxed" body canonicalization code, which Mark isn't using) and
> the spaces-in-key-records question (I agree with Mark, that's probably a
> false lead), I'd encourage you guys to use the debugging features in your
> respective filters to save the canonicalized forms and diff them. You can
> either:
>
> (a) both set the DKIMDEBUG environment variable to "c" and restart the
> filter, saving canonicalized forms to /var/tmp; then exchange and "diff"
> them to spot the differences; OR

The canonicalized output of the test message 0.msg is available at:

http://www.ijs.si/~mark/tmp/0.tar.gz

It looks correct, which has already been confirmed by three independent sources.

> The fact that only one recipient is having that problem makes me think
> it's localized and thus more likely a transit problem of some kind.

Doesn't seem to be transient, all my messages are failing verification at Tony's site, and verify correctly for others.

> One other possibility I can think of: Could there be an older public key
> in Tony's cache?

I never changed a key value on this selector, so it is unlikely to be a caching problem.

Mark